Permission to verify
core idea
The core of the so-called authority verification, validation is whether the current account has a permission code is: let you pass, no: so access is prohibited Went to the bottom again, saying, is that each account will have a permission code set, to verify whether the collection I include I need to detect the access code For example: the current account has access code sets: [“user:add”, “user:delete”, “user:get”], then I try to verify the permission code: “user:update”, the result is authentication failure, the access is prohibited, so now the core of the problem is:
- How do I get the set of permission codes that an account has
- Which is the permission code to verify in this operation
Gets the current account permission code set
Because the requirements of each project are different and the permission design is constantly changing, it is impossible to build [get current account permission set] into the framework, so sa-Token exposes this operation to you as an interface, so that you can easily rewrite it according to your own business logic
- All you need to do is create a new class and override the StpInterface interface, such as the following code:
package com.pj.satoken;
import java.util.ArrayList;
import java.util.List;
import org.springframework.stereotype.Component;
import cn.dev33.satoken.stp.StpInterface;
/** * Custom permission validation interface extension */
@Component // Ensure that this type is scanned by Springboot to complete the extension of custom sa-token permission verification
public class StpInterfaceImpl implements StpInterface {
/** * returns the set of permissions that an account has */
@Override
public List<String> getPermissionCodeList(Object loginId, String loginKey) {
// This list is only for simulation. In actual projects, permissions should be queried according to specific business logic
List<String> list = new ArrayList<String>();
list.add("101");
list.add("user-add");
list.add("user-delete");
list.add("user-update");
list.add("user-get");
list.add("article-get");
return list;
}
/** * Returns a set of role identifiers owned by an account (permissions and roles can be verified separately) */
@Override
public List<String> getRoleList(Object loginId, String loginKey) {
// This list is for simulation only. In actual projects, roles should be queried according to specific business logic
List<String> list = new ArrayList<String>();
list.add("admin");
list.add("super-admin");
returnlist; }}Copy the code- Reference code: code cloud: stpInterfaceImpl.java
Verifies that the specified permission code is included
You can then use the following API for authentication
Stputil.haspermission (Object pcode) - Checks whether the current account has the specified permission, returning true or falseCopy the codeStputil.checkpermission (Object pcode) - Checks whether the current account has the specified permission and passes safely if it does, and throws an exception if it does not: NotPermissionException - Extension: The NotPermissionException object gets the exception thrown by which StpLogic using the getLoginKey() methodCopy the codeStpUtil.checkPermissionAnd(Object... Pcode) check whether the current account has specified permissions.Copy the codeStpUtil.checkPermissionOr(Object... Pcode) - check whether the current account contains specified permissions.Copy the codeIntercepting global exceptions
I have a question, authentication fails, throws an exception, and then what? Do you want to show the exception to the user? Instead of throwing exceptions to the user, you can create a global exception interceptor that returns the same format to the front end, as in the following example:
- For reference: code cloud: GlobalException.java
Write in the last
Open source, the author is not easy, if you like this framework trouble you conveniently point a little star oh!
- Official documentation: sa-token.dev33.cn/
- Gitee open Source address: gitee.com/sz6/sa-toke…
- GitHub open Source: github.com/click33/sa-…
